Overview

overview

10

Static

static

7

74f431ce5b...68.exe

windows7-x64

8

74f431ce5b...68.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2024 16:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    74f431ce5bc17e1523b38eec734d9c68.exe

  • Size

    66KB

  • MD5

    74f431ce5bc17e1523b38eec734d9c68

  • SHA1

    765e8ee95a455fc8e545e247c3beff4a0b84d5ce

  • SHA256

    9fe372a8eba0110c955fb7e14a35d816e90b0e3a138a25149c1d29c9e4e0bd99

  • SHA512

    45f05d5eadffeea57234bc21a21c07310938f1320de5169e1ead0df354b6dbf4543302047d75bcc2a48d6e96760efcce73dbc7ed33b5519b89923d62431e6d2b

  • SSDEEP

    1536:bxiNXxDtjW3YXq1mBqZyrnQN0gMt3RySgGakaY/Wjd+LMC:bxiNhDtqIaU0yrno0ZthPggDcq

Score
8/10
aspackv2persistence

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74f431ce5bc17e1523b38eec734d9c68.exe
    "C:\Users\Admin\AppData\Local\Temp\74f431ce5bc17e1523b38eec734d9c68.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Program Files (x86)\Common Files\notepad.exe
      "C:\Program Files (x86)\Common Files\notepad.exe" C:\Users\Admin\AppData\Local\Temp\74f431ce5bc17e1523b38eec734d9c68.exe
      2⤵
      • Executes dropped EXE
      • Opens file in notepad (likely ransom note)
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\5D4C.tmp" "8A'+  [=[SCMR'8[=' U"
        3⤵
        • Sets DLL path for service in the registry
        • Loads dropped DLL
        • Drops file in System32 directory
        PID:2036
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    PID:2768

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5D4C.tmp
    Filesize

    101KB

    MD5

    5732e816e2b58a1c1eafdb8bc11cc00a

    SHA1

    cbbc16d43171c2da3244955341f1bb5ed1784c45

    SHA256

    b7f8acfcc9da8c954a5e381b5e9081cd28eb29f88778a0de24ba522eaaf94f98

    SHA512

    ea068ad71a725ac06a087ae48b9f7ae05468fd213c552b3a42ad57765ebfdd57de2b5cc7bcbf698cf80c7284d93140764092a69f840873abee3551f37b5fae19

    Download Submit
  • \Program Files (x86)\Common Files\notepad.exe
    Filesize

    66KB

    MD5

    74f431ce5bc17e1523b38eec734d9c68

    SHA1

    765e8ee95a455fc8e545e247c3beff4a0b84d5ce

    SHA256

    9fe372a8eba0110c955fb7e14a35d816e90b0e3a138a25149c1d29c9e4e0bd99

    SHA512

    45f05d5eadffeea57234bc21a21c07310938f1320de5169e1ead0df354b6dbf4543302047d75bcc2a48d6e96760efcce73dbc7ed33b5519b89923d62431e6d2b

    Download Submit
  • memory/2036-13-0x00000000000B0000-0x00000000000CF000-memory.dmp
    Filesize

    124KB

    Download
  • memory/2036-19-0x00000000000B0000-0x00000000000CF000-memory.dmp
    Filesize

    124KB

    Download
  • memory/2052-9-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/2132-10-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/2768-18-0x0000000000190000-0x00000000001AF000-memory.dmp
    Filesize

    124KB

    Download
  • memory/2768-20-0x0000000000190000-0x00000000001AF000-memory.dmp
    Filesize

    124KB

    Download